update package detail

Author: amitguptagwl

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion
 
+**5.5.7 / 2026-03-19**
+- fix: entity expansion limits
+- update strnum package to 2.2.0
+
 **5.5.6 / 2026-03-16**
 - update builder dependency
 - fix incorrect regex to replace \. in entity name

docs/v4, v5/6.HTMLParsing.md

@@ -203,4 +203,23 @@ Output
 </html>
 ```
 
+# Security
+
+FXP faithfully expands DOCTYPE entities per the XML spec. If you render FXP output as HTML, you are responsible for escaping or sanitizing the values. FXP is an XML parser, not an HTML sanitizer. An XML used in different system can have diffrent pattern for a malicious string.
+
+```js
+const xmlData = `<?xml version="1.0"?>
+<!DOCTYPE foo [
+  <!ENTITY qt "<script>alert('XSS')</script>">
+  <!ENTITY gt "">
+]>
+<root>
+  <name>&qt;img src=x onerror=alert(1)&gt;</name>
+  <data>Normal &lt;b&gt;text&lt;/b&gt; here</data>
+</root>`;
+
+const parser = new XMLParser();
+const result = parser.parse(xmlData);
+```
+
 [> Next: PI Tag processing](./7.PITags.md)